macOS Add-Ons - PlatformSSO - Secure Enclave

macOS: Understanding Platform SSO with Secure Enclave in Devicie

 

Overview: 

Platform SSO is a Microsoft Entra feature that enhances the Microsoft Enterprise SSO plug-in by using hardware-bound cryptographic keys together with the SSO app extension.

 

 

The Secure Enclave method has more features than the Password method:

- Passwordless (phishing resistant)

- Touch ID supported for unlock

- Can be used as a passkey

- MFA mandatory for setup

- Supported on macOS 14.x +

- Optionally, allow new users to log in with Entra ID credentials (macOS 14.x +)

 

By design, one feature is not available with this method: "Local Mac password synced with Entra ID".

 

Pre-Requisites:

Ensure that per-user MFA is not enabled for users. Transition to Conditional Access MFA in accordance with Microsoft Entra ID recommendations.

  • Macs must be running macOS 15 or later.

  • Ensure that password AutoFill is not disabled by any security baseline or setting.

Recommended Assignment Target:

Assign to All Devices, exclude Shared Devices

 

Variable Settings:

  • LAPS Admin Username
    Purpose: The list of local accounts that aren't subject to FileVault Policy, Login Policy, or Unlock Policy.
    Type: array of strings
    Default Value: ["ladvc"]

 

Base Settings: 

  • Extension Identifier
    Description: The bundle identifier of the app extension that performs SSO for the specified URLs.
    Value: com.microsoft.CompanyPortalMac.ssoextension

  • TeamIdentifier
    Description: The team identifier of the app extension. This key is required on macOS and ignored elsewhere.
    Value: UBF8T346G9

  • Type
    Description: The type of SSO.
    Value: Redirect

  • Screen Locked Behavior
    Description: If set to Cancel, the system cancels authentication requests when the screen is locked. If set to DoNotHandle, the request continues without SSO instead.
    Value: DoNotHandle

  • URLs
    Description: An array of URL prefixes of identity providers where the app extension performs SSO. Required for Redirect payloads.
    Value: https://login.microsoftonline.com, https://login.microsoft.com, https://sts.windows.net, https://login-us.microsoftonline.com, https://login.microsoftonline.us, https://login.usgovcloudapi.net

  • Platform SSO Use Shared Device Keys
    Description: If true, the system uses the same signing and encryption keys for all users. Only supported on the device channel.
    Value: True

  • Platform SSO Account Display Name
    Description: The display name for the account in notifications and authentication requests.
    Value: Microsoft Entra ID

  • Platform SSO Authentication Method
    Description: The Platform SSO authentication method to use with the extension. Requires that the SSO Extension also support the method.
    Value: User Secure Enclave Key

  • Extension Data: browser sso interaction enabled
    Description: Keys and values to pass to the app extension.
    Value: 1

  • Extension Data: disable explicit app prompt
    Description: Keys and values to pass to the app extension.
    Value: 1

  • Extension Data: App Prefix Allow List
    Description: Keys and values to pass to the app extension.
    Value: com.microsoft.,com.apple.

  • Registration Token
    Description: The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider.
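As an added example (not part of this article, nor Microsoft's or Apple's own tooling), the following Python script lays out the Base Settings above as the keys of Apple's com.apple.extensiblesso payload and checks an exported payload for the Secure Enclave settings before it is trusted as the add-on's configuration. The plist is constructed here and omits the outer profile wrapper; mapping the "LAPS Admin Username" variable to the NonPlatformSSOAccounts key is an assumption.

```python
import plistlib

# Constructed sample of the com.apple.extensiblesso payload this add-on deploys (outer profile wrapper omitted).
SAMPLE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>com.apple.extensiblesso</string>
<key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
<key>TeamIdentifier</key><string>UBF8T346G9</string>
<key>Type</key><string>Redirect</string>
<key>ScreenLockedBehavior</key><string>DoNotHandle</string>
<key>URLs</key><array>
<string>https://login.microsoftonline.com</string><string>https://login.microsoft.com</string>
<string>https://sts.windows.net</string><string>https://login-us.microsoftonline.com</string>
<string>https://login.microsoftonline.us</string><string>https://login.usgovcloudapi.net</string>
</array>
<key>ExtensionData</key><dict>
<key>browser_sso_interaction_enabled</key><integer>1</integer>
<key>disable_explicit_app_prompt</key><integer>1</integer>
<key>AppPrefixAllowList</key><string>com.microsoft.,com.apple.</string>
</dict>
<key>PlatformSSO</key><dict>
<key>AuthenticationMethod</key><string>UserSecureEnclaveKey</string>
<key>UseSharedDeviceKeys</key><true/>
<key>AccountDisplayName</key><string>Microsoft Entra ID</string>
<key>NonPlatformSSOAccounts</key><array><string>ladvc</string></array>
</dict></dict></plist>"""

# Top-level values the Secure Enclave add-on is expected to carry (from the Base Settings table).
EXPECTED_TOP = {"ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
                "TeamIdentifier": "UBF8T346G9", "Type": "Redirect",
                "ScreenLockedBehavior": "DoNotHandle"}

def check_psso_payload(data: bytes) -> list[str]:
    """Return findings where the payload deviates from the Secure Enclave add-on; empty means OK."""
    p = plistlib.loads(data)
    psso = p.get("PlatformSSO", {})
    findings = []
    for key, want in EXPECTED_TOP.items():
        if p.get(key) != want:
            findings.append(f"{key}: expected {want!r}, got {p.get(key)!r}")
    # The hardware-bound key is only used when the method is UserSecureEnclaveKey.
    if psso.get("AuthenticationMethod") != "UserSecureEnclaveKey":
        findings.append("PlatformSSO.AuthenticationMethod is not UserSecureEnclaveKey")
    if psso.get("UseSharedDeviceKeys") is not True:
        findings.append("PlatformSSO.UseSharedDeviceKeys is not true")
    # Every IdP prefix must be an https origin; a plain http entry would hand SSO to an unprotected host.
    for url in p.get("URLs", []):
        if not url.startswith("https://"):
            findings.append(f"URLs entry is not https: {url}")
    return findings
```

Point `check_psso_payload` at the bytes of a payload dictionary exported from your MDM to confirm a deployed profile still matches the table.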


Steps:

  1. Deploy macOS AddOn - PlatformSSO (Secure Enclave) and assign it to the desired group.

  2. Shortly after the device receives the new profile, the user will be prompted to register with Microsoft Entra.

  3. A "Registration required" notification appears in the Notification Center.

     (Screenshot: the Registration required prompt shown on end user devices when Platform SSO is configured in Microsoft Intune.)

     End users select this notification, sign in to the Microsoft Entra ID plug-in with their organization account, and complete multi-factor authentication (MFA), if required.

  4. An additional step is required to complete Secure Enclave registration: the end user must allow Company Portal to use AutoFill.

  5. The user will be presented with instructions on how to do this.

     This step cannot be performed by the MDM or automated; it must be done by the end user.

Expected Behavior

1. Once registration is complete, all SSO-enabled browsers automatically sign you in to Microsoft services.
- Safari does this even in Private Browsing mode.
2. Microsoft and Apple apps sign in automatically. Other SSO-enabled apps can be added; our standard baselines for Google Chrome and Firefox ensure that SSO is enabled.


More Info:

Platform SSO configuration guide for macOS devices using Microsoft Intune
Protecting keys with the Secure Enclave